[apple/security.git] / SecurityTests / clxutils / importExport / importExportOpensshTool

#! /bin/csh -f
#
# Run one iteration of OpenSSH portion of import/export tests.
# Only used as a subroutine call from importExportOpenssh.
#
# Arguments (all required):
#
# privKey
# privKeyFormat       -- ssh1|ssh1Wrap|ssh2|ssh2Wrap
# pubKey
# pubKeyFormat        -- ssh1|ssh2
# algorithm           -- rsa|dsa
# quiet               -- YES|NO
# noACL               -- YES|NO
# securePassphrase    -- YES|NO
# noClean             -- YES|NO
# 
# If incoming private key is wrapped, we assume it has password "password" 
# without the quotes.
# 
# We assume the presence of keychain $KEYCHAIN_PATH, which we clean out before 
# using.
#
if ( $#argv != 9 ) then
    echo See importExportOpensshTool script for usage.
	exit(1)
endif

source setupCommon

set PRIV_KEY_IN=$argv[1]
set PRIV_KEY_FORM=$argv[2]
set PUB_KEY_IN=$argv[3]
set PUB_KEY_FORM=$argv[4]
set ALG_ARG=
set KEY_ALG=$argv[5]
if($KEY_ALG == dsa) then
	set ALG_ARG="a=d"
endif
set QUIET=$argv[6]
set QUIET_ARG=
if ($QUIET == YES) then
	set QUIET_ARG=-q
endif
set NOACL_ARG=
if ($argv[7] == YES) then
	set NOACL_ARG=-n
endif
set SECURE_PHRASE_ARG=
if ($argv[8] == YES) then
	set SECURE_PHRASE_ARG=-Z
endif
set NOCLEAN=$argv[9]

set SSHKEY=$BUILD_DIR/sshKey

if ($QUIET == NO) then
	echo -- Testing SSH privFormat $PRIV_KEY_FORM pubFormat $PUB_KEY_FORM --
endif

#
# rsatool filename - it has particular requirements here...
# All of are produced by exporting from a keychain. 
# 
set RSA_TOOL_FILENAME=$BUILD_DIR/rawSshKey
set RAW_PRIV_KEY=${RSA_TOOL_FILENAME}_priv.der
set RAW_PUB_KEY=${RSA_TOOL_FILENAME}_pub.der

#
# The file we sign with rsatool, in cwd, and a signature file.
#
set PLAINTEXT=somePlainText
set SIGFILE=$BUILD_DIR/sig

set PASSWORD=password

# empty the keychain 
if ($QUIET == NO) then
	echo $CLEANKC
endif
$CLEANKC || exit(1)

# 
# Import incoming private key, export to unencrypted format.
# Wrapped SSH1 --> SSH1
# Wrapped SSH2 = Wrapped Openssl --> OpenSSL = PKCS1. 
# SSH2 = OpenSSL/PEM = PKCS1/PEM --> OpenSSL = PKCS1.
#
# Note 
#
set RAW_PRIV_KEY_FORM=$PRIV_KEY_FORM
set DO_CONVERT=no
# these are for kcImport/kcExport
set IN_FORM=foo
set OUT_FORM=foo
# these are for rsatool 
set RSA_PUB_FORM=foo
set RSA_PRIV_FORM=foo

switch( $PRIV_KEY_FORM )
	case ssh1Wrap:
		set DO_CONVERT=yes
		set IN_FORM=openssh1
		set OUT_FORM=openssh1
		set RSA_PRIV_FORM=s
		breaksw
	case ssh2Wrap:
		set DO_CONVERT=yes
		set IN_FORM=openssl
		set OUT_FORM=openssl
		if($KEY_ALG == rsa) then
			set RSA_PRIV_FORM=1
		else
			set RSA_PRIV_FORM=o
		endif
		breaksw
	case ssh1:
		set DO_CONVERT=no
		set IN_FORM=openssh1
		set OUT_FORM=openssh1
		set RSA_PRIV_FORM=s
		breaksw
	case ssh2:
		set DO_CONVERT=no
		set IN_FORM=openssl
		set OUT_FORM=openssl
		if($KEY_ALG == rsa) then
			set RSA_PRIV_FORM=1
		else
			set RSA_PRIV_FORM=o
		endif
		breaksw
	default:
		echo See importExportOpensshTool script for usage.
		exit(1)
endsw

#
# Note we always import private keys with the -e option so we can export in the clear.
#
if($DO_CONVERT == yes) then
	if ($QUIET == NO) then
		echo Importing wrapped private key...
	endif
	set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -z $PASSWORD -t priv -f $IN_FORM -w -e -K 1 $QUIET_ARG $NOACL_ARG $SECURE_PHRASE_ARG"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || exit(1)
else
	if ($QUIET == NO) then
		echo Importing cleartext private key...
	endif
	set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -t priv -f $IN_FORM -e -K 1 $QUIET_ARG $NOACL_ARG"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || exit(1)
endif

#
# Export to cleartext private key format
#
if ($QUIET == NO) then
	echo Exporting to cleartext private key...
endif
set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f $OUT_FORM -o $RAW_PRIV_KEY $QUIET_ARG"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

#
# Import public key, and re-export it. When we're thru with this for all combinations 
# of keys sent to us by importExportOpenssh, we know we can read every format that 
# OpenSSH can generate. 
#
switch( $PUB_KEY_FORM )
	case ssh1:
		set IN_FORM=openssh1
		set OUT_FORM=openssh1
		set RSA_PUB_FORM=o
		breaksw
	case ssh2:
		set IN_FORM=openssh2
		set OUT_FORM=openssh2
		set RSA_PUB_FORM=O
		breaksw
	default:
		echo See importExportOpensshTool script for usage.
		exit(1)
endsw

if ($QUIET == NO) then
	echo Importing public...
endif
set cmd="$KCIMPORT $PUB_KEY_IN -k $KEYCHAIN -t pub -f $IN_FORM -K 1 $QUIET_ARG"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

#
# Export public key
#
if ($QUIET == NO) then
	echo Exporting public key...
endif
set cmd="$KCEXPORT $KEYCHAIN -t pubKeys -f $OUT_FORM -o $RAW_PUB_KEY $QUIET_ARG"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# 
# Sign and verify.
#
set cmd="$RSATOOL s p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME v=$RSA_PRIV_FORM $ALG_ARG q"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)
set cmd="$RSATOOL v p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME b=$RSA_PUB_FORM $ALG_ARG q"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

#
# The incoming public key and the one we exported from the keychain should be identical.
#
set cmd="$CMP $PUB_KEY_IN $RAW_PUB_KEY"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd 
if($status != 0) then 
	echo MISCOMPARE on public key form $PUB_KEY_FORM
	exit(1)
endif

#
# Verifying private keys is a little tricker. Only cleartext ssh2 keys can be
# verified by byte-for-byte compare, and then only after exporting them again
# in PEM armour. All the others have random data added. 
#
set PEM_PRIV_KEY=$BUILD_DIR/pemPrivKey
if($PRIV_KEY_FORM == ssh2) then
	set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f openssl -p -o $PEM_PRIV_KEY $QUIET_ARG"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || exit(1)
	set cmd="$CMP $PRIV_KEY_IN $PEM_PRIV_KEY"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd 
	if($status != 0) then 
		echo MISCOMPARE on private key form $PRIV_KEY_FORM
		exit(1)
	endif
endif

#
# We've verified that we write the following formats identically to OpenSSH:
#   -- public ssh1
#   -- public ssh2
#   -- private unwrapped ssh2 (a.k.a. OpenSSL w/PEM)
# 
# Since private wrapped SSH2 keys are in a format that we've verified 
# extensively elsewhere (OpenSSL, in the importExportOpensslWrap script), 
# all we really need to test here is ssh1 format. We'll test that
# via parsing keys with the sshKey program and comparing the output. 
# This also verifies the comments in the generated keys, which should
# always match the comment of the original key (ssh-keygen key, import
# that, the resulting C item's PrintName has the comment; export that
# KC item and the original comment gets embedded in the new key).
#
set DONE=no
set PWDARG=
switch( $PRIV_KEY_FORM )
	case ssh1:
		set PWDARG=-P
		breaksw
	case ssh1Wrap:
		set PWDARG="-p $PASSWORD"
		breaksw
	case ssh2Wrap:
	case ssh2:
		set DONE=yes
		breaksw
	default:
		echo BRRZZZAP! Missed one here! PRIV_KEY_FORM $PRIV_KEY_FORM
		exit(1)
endsw

set PARSE_REF=$BUILD_DIR/parseRef
set PARSE_GEN=$BUILD_DIR/parseGen

if($DONE == no) then

	if ($QUIET == NO) then
		echo Parsing $PRIV_KEY_IN and $RAW_PRIV_KEY....
	endif
	set cmd="$SSHKEY -i $PRIV_KEY_IN -r -f ssh1 -v $PWDARG"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd > $PARSE_REF
	if($status != 0) then
		echo Error parsing $PRIV_KEY_IN.
		exit(1)
	endif
	set cmd="$SSHKEY -i $RAW_PRIV_KEY -r -f ssh1 -v -P"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd > $PARSE_GEN
	if($status != 0) then
		echo Error parsing $RAW_PRIV_KEY.
		exit(1)
	endif
	set cmd="$CMP $PARSE_GEN $PARSE_REF"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd 
	if($status != 0) then 
		echo MISCOMPARE on parsed private keys
		exit(1)
	endif
endif

# 
# cleanup
#
if($NOCLEAN == NO) then
	set cmd="rm -f $RAW_PRIV_KEY $RAW_PUB_KEY $SIGFILE $PEM_PRIV_KEY $PARSE_REF $PARSE_GEN"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || exit(1)
endif
Commit	Line	Data
d8f41ccd A	1	#! /bin/csh -f
	2	#
	3	# Run one iteration of OpenSSH portion of import/export tests.
	4	# Only used as a subroutine call from importExportOpenssh.
	5	#
	6	# Arguments (all required):
	7	#
	8	# privKey
	9	# privKeyFormat -- ssh1\|ssh1Wrap\|ssh2\|ssh2Wrap
	10	# pubKey
	11	# pubKeyFormat -- ssh1\|ssh2
	12	# algorithm -- rsa\|dsa
	13	# quiet -- YES\|NO
	14	# noACL -- YES\|NO
	15	# securePassphrase -- YES\|NO
	16	# noClean -- YES\|NO
	17	#
	18	# If incoming private key is wrapped, we assume it has password "password"
	19	# without the quotes.
	20	#
	21	# We assume the presence of keychain $KEYCHAIN_PATH, which we clean out before
	22	# using.
	23	#
	24	if ( $#argv != 9 ) then
	25	echo See importExportOpensshTool script for usage.
	26	exit(1)
	27	endif
	28
	29	source setupCommon
	30
	31	set PRIV_KEY_IN=$argv[1]
	32	set PRIV_KEY_FORM=$argv[2]
	33	set PUB_KEY_IN=$argv[3]
	34	set PUB_KEY_FORM=$argv[4]
	35	set ALG_ARG=
	36	set KEY_ALG=$argv[5]
	37	if($KEY_ALG == dsa) then
	38	set ALG_ARG="a=d"
	39	endif
	40	set QUIET=$argv[6]
	41	set QUIET_ARG=
	42	if ($QUIET == YES) then
	43	set QUIET_ARG=-q
	44	endif
	45	set NOACL_ARG=
	46	if ($argv[7] == YES) then
	47	set NOACL_ARG=-n
	48	endif
	49	set SECURE_PHRASE_ARG=
	50	if ($argv[8] == YES) then
	51	set SECURE_PHRASE_ARG=-Z
	52	endif
	53	set NOCLEAN=$argv[9]
	54
	55	set SSHKEY=$BUILD_DIR/sshKey
	56
	57	if ($QUIET == NO) then
	58	echo -- Testing SSH privFormat $PRIV_KEY_FORM pubFormat $PUB_KEY_FORM --
	59	endif
	60
	61	#
	62	# rsatool filename - it has particular requirements here...
	63	# All of are produced by exporting from a keychain.
	64	#
65	set RSA_TOOL_FILENAME=$BUILD_DIR/rawSshKey
66	set RAW_PRIV_KEY=${RSA_TOOL_FILENAME}_priv.der
67	set RAW_PUB_KEY=${RSA_TOOL_FILENAME}_pub.der
68
69	#
70	# The file we sign with rsatool, in cwd, and a signature file.
71	#
72	set PLAINTEXT=somePlainText
73	set SIGFILE=$BUILD_DIR/sig
74
75	set PASSWORD=password
76
77	# empty the keychain
78	if ($QUIET == NO) then
79	echo $CLEANKC
80	endif
81	$CLEANKC \|\| exit(1)
82
83	#
84	# Import incoming private key, export to unencrypted format.
85	# Wrapped SSH1 --> SSH1
86	# Wrapped SSH2 = Wrapped Openssl --> OpenSSL = PKCS1.
87	# SSH2 = OpenSSL/PEM = PKCS1/PEM --> OpenSSL = PKCS1.
88	#
89	# Note
90	#
91	set RAW_PRIV_KEY_FORM=$PRIV_KEY_FORM
92	set DO_CONVERT=no
93	# these are for kcImport/kcExport
94	set IN_FORM=foo
95	set OUT_FORM=foo
96	# these are for rsatool
97	set RSA_PUB_FORM=foo
98	set RSA_PRIV_FORM=foo
99
100	switch( $PRIV_KEY_FORM )
101	case ssh1Wrap:
102	set DO_CONVERT=yes
103	set IN_FORM=openssh1
104	set OUT_FORM=openssh1
105	set RSA_PRIV_FORM=s
106	breaksw
107	case ssh2Wrap:
108	set DO_CONVERT=yes
109	set IN_FORM=openssl
110	set OUT_FORM=openssl
111	if($KEY_ALG == rsa) then
112	set RSA_PRIV_FORM=1
113	else
114	set RSA_PRIV_FORM=o
115	endif
116	breaksw
117	case ssh1:
118	set DO_CONVERT=no
119	set IN_FORM=openssh1
120	set OUT_FORM=openssh1
121	set RSA_PRIV_FORM=s
122	breaksw
123	case ssh2:
124	set DO_CONVERT=no
125	set IN_FORM=openssl
126	set OUT_FORM=openssl
127	if($KEY_ALG == rsa) then
128	set RSA_PRIV_FORM=1
129	else
130	set RSA_PRIV_FORM=o
131	endif
132	breaksw
133	default:
134	echo See importExportOpensshTool script for usage.
135	exit(1)
136	endsw
137
138	#
139	# Note we always import private keys with the -e option so we can export in the clear.
140	#
141	if($DO_CONVERT == yes) then
142	if ($QUIET == NO) then
143	echo Importing wrapped private key...
144	endif
145	set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -z $PASSWORD -t priv -f $IN_FORM -w -e -K 1 $QUIET_ARG $NOACL_ARG $SECURE_PHRASE_ARG"
146	if ($QUIET == NO) then
147	echo $cmd
148	endif
149	$cmd \|\| exit(1)
150	else
151	if ($QUIET == NO) then
152	echo Importing cleartext private key...
153	endif
154	set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -t priv -f $IN_FORM -e -K 1 $QUIET_ARG $NOACL_ARG"
155	if ($QUIET == NO) then
156	echo $cmd
157	endif
158	$cmd \|\| exit(1)
159	endif
160
161	#
162	# Export to cleartext private key format
163	#
164	if ($QUIET == NO) then
165	echo Exporting to cleartext private key...
166	endif
167	set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f $OUT_FORM -o $RAW_PRIV_KEY $QUIET_ARG"
168	if ($QUIET == NO) then
169	echo $cmd
170	endif
171	$cmd \|\| exit(1)
172
173	#
174	# Import public key, and re-export it. When we're thru with this for all combinations
175	# of keys sent to us by importExportOpenssh, we know we can read every format that
176	# OpenSSH can generate.
177	#
178	switch( $PUB_KEY_FORM )
179	case ssh1:
180	set IN_FORM=openssh1
181	set OUT_FORM=openssh1
182	set RSA_PUB_FORM=o
183	breaksw
184	case ssh2:
185	set IN_FORM=openssh2
186	set OUT_FORM=openssh2
187	set RSA_PUB_FORM=O
188	breaksw
189	default:
190	echo See importExportOpensshTool script for usage.
191	exit(1)
192	endsw
193
194	if ($QUIET == NO) then
195	echo Importing public...
196	endif
197	set cmd="$KCIMPORT $PUB_KEY_IN -k $KEYCHAIN -t pub -f $IN_FORM -K 1 $QUIET_ARG"
198	if ($QUIET == NO) then
199	echo $cmd
200	endif
201	$cmd \|\| exit(1)
202
203	#
204	# Export public key
205	#
206	if ($QUIET == NO) then
207	echo Exporting public key...
208	endif
209	set cmd="$KCEXPORT $KEYCHAIN -t pubKeys -f $OUT_FORM -o $RAW_PUB_KEY $QUIET_ARG"
210	if ($QUIET == NO) then
211	echo $cmd
212	endif
213	$cmd \|\| exit(1)
214
215	#
216	# Sign and verify.
217	#
218	set cmd="$RSATOOL s p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME v=$RSA_PRIV_FORM $ALG_ARG q"
219	if ($QUIET == NO) then
220	echo $cmd
221	endif
222	$cmd \|\| exit(1)
223	set cmd="$RSATOOL v p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME b=$RSA_PUB_FORM $ALG_ARG q"
224	if ($QUIET == NO) then
225	echo $cmd
226	endif
227	$cmd \|\| exit(1)
228
229	#
230	# The incoming public key and the one we exported from the keychain should be identical.
231	#
232	set cmd="$CMP $PUB_KEY_IN $RAW_PUB_KEY"
233	if ($QUIET == NO) then
234	echo $cmd
235	endif
236	$cmd
237	if($status != 0) then
238	echo MISCOMPARE on public key form $PUB_KEY_FORM
239	exit(1)
240	endif
241
242	#
243	# Verifying private keys is a little tricker. Only cleartext ssh2 keys can be
244	# verified by byte-for-byte compare, and then only after exporting them again
245	# in PEM armour. All the others have random data added.
246	#
247	set PEM_PRIV_KEY=$BUILD_DIR/pemPrivKey
248	if($PRIV_KEY_FORM == ssh2) then
249	set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f openssl -p -o $PEM_PRIV_KEY $QUIET_ARG"
250	if ($QUIET == NO) then
251	echo $cmd
252	endif
253	$cmd \|\| exit(1)
254	set cmd="$CMP $PRIV_KEY_IN $PEM_PRIV_KEY"
255	if ($QUIET == NO) then
256	echo $cmd
257	endif
258	$cmd
259	if($status != 0) then
260	echo MISCOMPARE on private key form $PRIV_KEY_FORM
261	exit(1)
262	endif
263	endif
264
265	#
266	# We've verified that we write the following formats identically to OpenSSH:
267	# -- public ssh1
268	# -- public ssh2
269	# -- private unwrapped ssh2 (a.k.a. OpenSSL w/PEM)
270	#
271	# Since private wrapped SSH2 keys are in a format that we've verified
272	# extensively elsewhere (OpenSSL, in the importExportOpensslWrap script),
273	# all we really need to test here is ssh1 format. We'll test that
274	# via parsing keys with the sshKey program and comparing the output.
275	# This also verifies the comments in the generated keys, which should
276	# always match the comment of the original key (ssh-keygen key, import
277	# that, the resulting C item's PrintName has the comment; export that
278	# KC item and the original comment gets embedded in the new key).
279	#
280	set DONE=no
281	set PWDARG=
282	switch( $PRIV_KEY_FORM )
283	case ssh1:
284	set PWDARG=-P
285	breaksw
286	case ssh1Wrap:
287	set PWDARG="-p $PASSWORD"
288	breaksw
289	case ssh2Wrap:
290	case ssh2:
291	set DONE=yes
292	breaksw
293	default:
294	echo BRRZZZAP! Missed one here! PRIV_KEY_FORM $PRIV_KEY_FORM
295	exit(1)
296	endsw
297
298	set PARSE_REF=$BUILD_DIR/parseRef
299	set PARSE_GEN=$BUILD_DIR/parseGen
300
301	if($DONE == no) then
302
303	if ($QUIET == NO) then
304	echo Parsing $PRIV_KEY_IN and $RAW_PRIV_KEY....
305	endif
306	set cmd="$SSHKEY -i $PRIV_KEY_IN -r -f ssh1 -v $PWDARG"
307	if ($QUIET == NO) then
308	echo $cmd
309	endif
310	$cmd > $PARSE_REF
311	if($status != 0) then
312	echo Error parsing $PRIV_KEY_IN.
313	exit(1)
314	endif
315	set cmd="$SSHKEY -i $RAW_PRIV_KEY -r -f ssh1 -v -P"
316	if ($QUIET == NO) then
317	echo $cmd
318	endif
319	$cmd > $PARSE_GEN
320	if($status != 0) then
321	echo Error parsing $RAW_PRIV_KEY.
322	exit(1)
323	endif
324	set cmd="$CMP $PARSE_GEN $PARSE_REF"
325	if ($QUIET == NO) then
326	echo $cmd
327	endif
328	$cmd
329	if($status != 0) then
330	echo MISCOMPARE on parsed private keys
331	exit(1)
332	endif
333	endif
334
335	#
336	# cleanup
337	#
338	if($NOCLEAN == NO) then
339	set cmd="rm -f $RAW_PRIV_KEY $RAW_PUB_KEY $SIGFILE $PEM_PRIV_KEY $PARSE_REF $PARSE_GEN"
340	if ($QUIET == NO) then
341	echo $cmd
342	endif
343	$cmd \|\| exit(1)
344	endif